Future Integrated Systems Concept for Preventing 
Aircraft Loss-of-Control Accidents 


Christine M. Belcastro* 

NASA Langley Research Center, Hampton, VA, 23681 
Steven R. Jacobson 1 

NASA Dryden Flight Research Center, Edwards, CA, 93523


Loss of control remains one of the largest contributors to aircraft fatal accidents 
worldwide. Aircraft loss-of-control accidents are highly complex in that they can result 
from numerous causal and contributing factors acting alone or (more often) in combination. 
Hence, there is no single intervention strategy to prevent these accidents. This paper 
presents future system concepts and research directions for preventing aircraft
loss-of-control accidents.


Nomenclature

CAST    = Commercial Aviation Safety Team
FSA     = Flight Safety Assurance
ICAO    = International Civil Aviation Organization
LOC     = Loss of Control
NextGen = Next Generation Air Transportation System
V&V     = Validation and Verification
VHM     = Vehicle Health Management


I. Introduction 

Aircraft loss-of-control is one of the largest contributors to fatal accidents across all vehicle classes and
operational categories [1,2]. For example, a summary of worldwide commercial jet airplane accidents occurring
from 1999 through 2008 from Ref. [3] is shown in Figure 1. As indicated in the figure, in-flight aircraft loss of 
control (LOC) resulted in 22 accidents and a total of 1,991 fatalities during this time period. In Figure 1, the 
accidents are assigned to a single occurrence category (based on primary causal factor); however, the other 
categories provide indicators about contributing factors to LOC, and these are shown in red text. These contributing 
factors include: system and component failures (non-engine and engine); damage resulting from mid-air collisions; 
abrupt maneuvers (that can lead to vehicle upset conditions); wind shear, thunderstorms, and turbulence; and icing 
conditions (that can result in vehicle impairment). In fact, aircraft LOC can result from numerous causal and 
contributing factors that occur individually or (more often) in combination. These factors are collectively referred to 
in this paper as “off-nominal conditions.” These “off-nominal” conditions can be categorized as adverse conditions 
occurring onboard the vehicle, external hazards and disturbances, and abnormal flight conditions. 


Adverse onboard conditions include: 


• vehicle impairment (including inappropriate vehicle configuration, contaminated airfoil, and improper 
vehicle loading); 

• system faults, failures, and errors (resulting from design flaws, software errors, or improper maintenance 
actions); 
• vehicle damage to airframe and engines (resulting from fatigue cracks, foreign objects, overstress during
upsets or upset recovery); and 

• inappropriate crew action/response (including lack of attention to energy state/configuration, poor energy 
management, pilot-induced oscillations, spatial disorientation, mode confusion, ineffective recoveries, and 
crew impairment). 

External hazards and disturbances include: 

• poor visibility; 

• wake vortices; 

• wind shear, turbulence, and thunderstorms; 

• snow and icing conditions; and 

• obstacles requiring abrupt maneuvers or resulting in collisions. 

Vehicle upsets include: 

• abnormal attitude; 

• abnormal airspeed, angular rates, or asymmetric forces; 

• abnormal flight trajectory; 

• uncontrolled descent (including spiral dive); and 

• stall/departure (including falling leaf and spin). 


[Figure 1 chart: Fatalities by CAST/ICAO Common Taxonomy Team (CICTT)]

Figure 1. Aircraft Accident Statistics for Worldwide Commercial Jet Fleet, 1999 - 2008.

Worst-case combinations and time sequences associated with these LOC precursor conditions have recently been
analyzed for 126 accidents that occurred between 1979 and 2009 and resulted in 6087 fatalities [3]. These
combinations and sequences can be used in developing and assessing intervention strategies for preventing aircraft 
LOC accidents. In particular, Figure 2 shows an example of a generalized LOC sequence from Reference 3. This 
generalized sequence is representative of 20 accidents and 907 fatalities from the analysis of Ref. 3. The LOC 
sequence of Figure 2 is initiated by a vehicle impairment/damage or system fault/failure condition or an external 
hazard or disturbance, such as wind shear or icing (the latter of which can result in vehicle impairment). The second 
element in this sequence is an inappropriate crew response (including an inappropriate action, control input, or 
inaction). The inappropriate response could result from poor situational awareness under the vehicle impairment or 
external hazard condition, spatial disorientation under poor visibility conditions, mode confusion associated with the 
cockpit automation, or some other condition (e.g., crew incapacitation). The third element of this sequence is a 
vehicle upset condition. A vehicle upset can be defined as “any uncommanded or inadvertent event with an 
abnormal aircraft attitude, rate of change of aircraft attitude, acceleration, airspeed, or flight trajectory,” where 
“abnormal” must be determined relative to phase of flight and aircraft type [4]. As indicated in Figure 2, the LOC
sequence can be broken (and the associated LOC accident prevented) if effective intervention strategies can be
developed to avoid/detect adverse vehicle and external hazard conditions, mitigate them when they occur (in an
effort to maintain acceptable vehicle dynamics properties and effective control capability, and to prevent vehicle
upset), and recover from upset (if prevention is not successful). Reference [3] also provides sets of LOC sequences that
are representative of more than 85% of the accidents and fatalities considered in the study. These sequences can be 
used in defining LOC scenarios that must be accommodated for significantly reducing LOC accident risk and 
preventing the associated accidents.

Figure 2. Example of a Generalized LOC Accident Sequence (see Ref. [3]).


Due to the complexity of aircraft LOC events (i.e., accidents and incidents), no single intervention strategy can 
be identified to effectively prevent them. Moreover, there are currently no coordinated or integrated systems, 
procedures, or research efforts for addressing aircraft LOC. Current aircraft control systems are primarily designed 
for operation under nominal conditions, and often disengage (i.e., return control authority to the pilot) under
off-nominal conditions. Current flight deck systems provide limited information under off-nominal conditions
associated with aircraft LOC. While many current systems have built-in tests for assessing system, subsystem, or 
component health, these lack the integrated capability for assessing vehicle health across them, or for the prevention 
of cascading failures across multiple systems. There is also no existing capability to assess vehicle health and 
external hazards in terms of their impact on flight safety. Improved crew training and operational procedures for 
off-nominal conditions might enable improved crew response during LOC events, but this is dependent on the 
capability to effectively characterize vehicle dynamics and control characteristics under off-nominal conditions. 
Advanced onboard systems that provide effective detection and resilience under off-nominal conditions could enable 
improved situational awareness and vehicle response under LOC events, but this requires the effective integration 
and validation of the associated technologies. 

This paper attempts to address aircraft LOC from a holistic perspective, with an emphasis on the research and 
development of onboard integrated systems technologies that provide avoidance, detection, mitigation, and recovery 
capabilities for effectively breaking a wide variety of LOC sequences. Section II describes the holistic approach, 
presents a future integrated systems concept for preventing aircraft LOC accidents, and evaluates the potential
effectiveness of such an approach relative to breaking the LOC sequence of Figure 2. Section III discusses 
implementation and commercialization strategies for the onboard integrated systems technologies presented in 
Section II. Section IV summarizes the results of the paper and provides some concluding remarks. A detailed 
process for the validation and verification of the integrated systems technologies of this paper is presented in 
Reference [5]. 


II. Future Integrated Systems Concept 

In order to effectively prevent aircraft LOC accidents, a holistic approach must be taken that includes: 

• the capability to characterize vehicle dynamics and control effects in off-nominal conditions; 

• integrated onboard systems that can assess vehicle health and flight safety in real-time, enable effective 
mitigation, provide assistance or automatic recovery under off-nominal conditions, and provide 
effective situational awareness and decision support to the crew; and 

• the capability to perform validation and verification (V&V) of these technologies for their certification. 

Figure 3 summarizes the holistic approach to be taken in this paper. Advanced modeling and simulation 
technologies must be developed for characterizing off-nominal condition effects on vehicle dynamics and control 
characteristics, including vehicle failures and damage, vehicle upset conditions, wind shear and turbulence, wake 
vortices, icing, and key combinations of these (as identified in Reference [3]). This capability can be utilized for 
improved crew training under off-nominal conditions, and for the development and validation of advanced 
onboard integrated systems technologies. 

Databases, models, and real-time modeling methods can also be utilized onboard the aircraft for 
characterizing and assessing the effects of off-nominal conditions. Vehicle health management (VHM) 
technologies must be developed for continually assessing and predicting the health of the airframe, propulsion 
system, and avionics systems in real-time, as well as remaining useful life. In-situ sensing and estimation 
methods must be developed for distinguishing between anomalous system behavior and external disturbances. 

Flight safety assurance (FSA) technologies must be developed to provide the capability of continually 
assessing and predicting the impact of off-nominal conditions on vehicle flight safety, and to provide resilient 
guidance and control capabilities under off-nominal conditions. These capabilities can be utilized onboard the 
aircraft for mitigation of system failures and vehicle impairment or damage, external disturbance rejection, and 
upset prevention and recovery. They can also be utilized to support improved crew training, especially for 
providing insight into non-intuitive control strategies required for upset recovery. Resilient guidance functions, 
such as trajectory generation under vehicle constraints (e.g., vehicle impairment or damage), must also be 
developed. 

Effective crew-system interface technologies must be developed for providing improved situational 
awareness and crew response under off-nominal conditions. These technologies include effective displays and 
aural methods for notification and cueing, and variable autonomy systems that enable optimal partitioning of 
authority between the crew and automation. Effective information exchange and coordination between the 
vehicle and airspace operations must also be achieved. Remote sensing technologies must be developed for 
avoidance of external hazards and disturbances. 

Validation and verification (V&V) technologies must be developed for the comprehensive evaluation of 
these technologies, and to enable the identification of system limitations and constraints as well as boundaries 
between safe and unsafe operating conditions.

Figure 3. A Holistic Approach for Preventing Aircraft LOC Accidents.


Based on the holistic approach of Figure 3, an onboard integrated systems concept can be developed. One such 
concept is presented in Figures 4 and 5, with Figure 4 providing an overview and Figure 5 providing a more detailed 
depiction of subsystem functions and capabilities. The core subsystems include vehicle health management (shown 
in green), vehicle flight safety management and resilient control (shown in blue), and crew-system interfaces (shown 
in yellow). Onboard modeling capability is reflected by purple. These core functions and capabilities directly 
correlate to those depicted in Figure 3. Multi-colored boxes represent shared functions between the associated 
subsystems. 

A detailed description of the AIRSAFE System concept, including subsystem interfaces, is given in Reference 
[6], and a detailed description of the associated V&V process is provided in Reference [7]. A synopsized 
description of the AIRSAFE System concept with additional insights is provided in the following subsections, as 
well as an assessment of the effectiveness of the AIRSAFE System concept in providing LOC sequence 
interventions.

Figure 4. Aircraft Integrated Resilient Safety Assurance & Failsafe Enhancement (AIRSAFE) System Concept - Overview.

Figure 5. Aircraft Integrated Resilient Safety Assurance & Failsafe Enhancement (AIRSAFE) System Concept - Functions.

A. Flight Safety Assurance

Flight safety has been a primary goal since the inception of aircraft, and assuring flight safety has been an 
implicit objective of aviation research and technology development for decades. However, the concept of flight 
safety is surprisingly ill-defined. In fact, there does not appear to be a comprehensive definition of flight safety that
can be quantified, measured, or estimated in an attempt to explicitly assure safe flight. In the context of preventing 
aircraft LOC accidents, it is proposed that such a definition and associated metrics for measuring it be developed. 
This would enable the development of algorithms for the onboard estimation of flight safety margins and risk factors 
(or “S-Factor”) resulting from off-nominal conditions related to LOC events and actions taken (or not taken) to 
mitigate them. In this context, the essence of flight safety centers around vehicle dynamics and control 
characteristics. Figure 6 illustrates the concept of the proposed “S-Factor”. Some components of “S-Factor” might
include: 


• stability margin, 

• controllability and maneuverability margins, 

• vehicle energy state (including energy rate and energy margin), 

• prediction of entering into an abnormal flight trajectory, 

• recoverability and its associated margin and time-to-recover requirement, 

• crew state, and 

• probability of loss of control. 

Other aspects of flight safety include: 

• upset prediction and detection; 

• dynamic envelope estimation for assessing changes to safe operation resulting from vehicle failures, 
impairment or damage; 

• vehicle health state detection and prediction (by the vehicle health management system) and the dynamics 
and control impacts of any identified faults and failures; 

• crew and automation control input monitoring and impacts assessment; and 

• vehicle configuration monitoring and assessment for detecting inappropriate vehicle configuration relative 
to flight phase. 

Energy state (i.e., vehicle total energy) can play a key role in predicting low-energy upset conditions such as stall.
Crew state (e.g., current workload, mission phase, and crew alertness) must be considered as a component of flight
safety, because control inputs and actions (or inaction) by the crew play a critical role in vehicle flight safety as well
as appropriate function partitioning.

Figure 6. Graphic Depicting S-Factor Concept.


As indicated in Figure 6, these flight safety components must be monitored in the context of determining the impacts 
of off-nominal conditions associated with external hazards and disturbances, adverse onboard conditions, and upset 
conditions, as well as the impact and effectiveness of the interventions being taken by the crew and automation 
(especially for their mitigation and recovery). While “S-Factor” implies an overall metric for vehicle flight safety, 
and such a metric might be useful as an indicator of the overall safety state of the vehicle, the components associated 
with it must also be retained in order to ascertain what aspect of flight safety is being compromised. This 
knowledge could be used in determining a corrective action for restoring (or optimizing) flight safety. 

Figure 7 illustrates the concept of flight safety assurance. The dashed box on the left illustrates the numerous 
sources of off-nominal conditions related to aircraft LOC events, including vehicle/system failures and damage 
(which could occur in the airframe, propulsion system, aircraft avionics and other systems and components), 
external hazards and disturbances (resulting from icing, wind shear and turbulence, wake vortices, or 
electromagnetically harsh environments that can affect the proper function of vehicle systems), abnormal flight 
conditions (i.e., vehicle upsets and abrupt maneuvers taken for collision avoidance), and onboard errors made by the 
crew and the automation.

Figure 7. Flight Safety Assurance Concept.


Flight safety assurance under all of these conditions will require a coordinated set of capabilities, as illustrated by 
the dashed box in the middle of Figure 7. Vehicle health management technologies are needed to detect and predict 
onboard failures and damage. Information from look-ahead sensors is needed to detect and avoid external hazards, 
and information from in-situ sensors is needed to detect vehicle entry into external disturbances and vehicle upset 
conditions. Real-time modeling and simulation technologies are needed to characterize changes to vehicle dynamics 
and control characteristics resulting from impairment or damage and external disturbances. Resilient control 
technologies are needed to mitigate the impacts of off-nominal conditions and to prevent or recover from abnormal 
flight conditions. Variable autonomy flight deck technologies are needed to improve crew situational awareness and 
optimize vehicle (i.e., crew/automation) response under off-nominal conditions. However, in order to explicitly 
assure flight safety, these technologies and functions must be coordinated, and the impacts of off-nominal conditions 
and actions being taken in their mitigation must be continually assessed and managed relative to flight safety. This 
is a key point and a missing component of aviation safety research efforts to date. Thus, flight safety management 
technologies must be developed to provide a real-time flight safety supervisory capability that actively assures 
vehicle flight safety under off-nominal conditions. These technologies would provide the capability to explicitly 
monitor vehicle flight safety, determine risks to flight safety posed by off-nominal conditions and interventions 
being taken, and identify corrective actions and countermeasures that are needed to preserve or recover flight safety. 
Flight safety management technologies would also provide a key integration capability for vehicle health 
management, resilient control, and crew-interface functions. 

The following subsections provide a discussion of future concepts in each of the core subsystem functions of 
Figure 7 (and Figures 4 and 5) as they relate to flight safety assurance, as well as references for some recent 
accomplishments in these areas.

B. Resilient Guidance and Control


Resilient guidance and control technologies are a necessary component in assuring vehicle flight safety under 
off-nominal conditions associated with aircraft LOC events. These technologies enable stability assurance, 
performance and handling qualities optimization, and feasible trajectory generation based on achievable vehicle 
dynamics under impairment or damage conditions. These capabilities enable off-nominal conditions mitigation, 
upset prevention, and safe maneuvering and landing of the aircraft. Some recent research accomplishments in 
effectively mitigating vehicle failure and damage effects using adaptive control techniques are described in 
References [8] and [9], and recent results on trajectory generation and guidance under off-nominal conditions are 
given in References [10], [11], and [12]. Moreover, utilization of key flight safety components as control objectives 
would explicitly provide some measure of flight safety assurance through the resilient control function. 

Implicit in these resilient control capabilities is the need for integrated flight and propulsion control for
off-nominal conditions mitigation, energy management, and upset prevention and recovery. Energy state (including
vehicle total energy and energy rate) is a key factor in predicting low-energy vehicle upsets (e.g., stall) and depends
on the phase of the mission. For takeoff, climb-out, and cruise, the crew is mostly concerned about total energy, with
airspeed being the most crucial factor so as not to stall the aircraft. Additionally, the health and configuration of the 
vehicle affect the ability to maintain a healthy energy state. In order to ensure a safe approach and landing, the crew 
is concerned about energy state, but also the relative position of the vehicle to the runway, the health of the 
propulsion system and the configuration of the vehicle. The engines are a powerful control effector that can be 
utilized for control redundancy in the event of control component failures, and to counter any resulting asymmetric 
forces and moments. Moreover, in the event of complete loss of control surfaces (e.g., due to loss of the hydraulics 
systems), the engines have been shown to provide flight control capability for most transport aircraft [13].
Unrecoverable vehicle upsets often result from low-energy vehicle conditions, and integrated flight-propulsion 
control can be utilized in managing the energy state of the aircraft to prevent these low-energy upset conditions. 
The engines can also be a powerful control effector for upset recovery. Engines are normally operated under 
limitations and constraints designed to improve fuel economy and extend useful engine life. Under emergency 
conditions, however, relaxation of these limitations and constraints can enable vehicle recovery and safe landing. 
Recent research into enhanced engine performance under emergency conditions is provided in Reference [14]. 

While important research accomplishments have been made in each of these areas, an integrated resilient 
guidance and control architecture is needed within which all off-nominal conditions associated with LOC can be 
mitigated, flight safety (at least partially) assured, and upset recovery provided (when needed). This will require the 
ability to handle multiple control objectives across all phases of normal and abnormal flight as well as the utilization 
in real time of vehicle safety status information provided by the flight safety management system. This might 
include changes to achievable vehicle dynamics and safe operating envelopes, changes to vehicle health state that 
directly impact flight safety and vehicle control, as well as changes to autonomy requirements (e.g., in the event of 
crew incapacitation). For NextGen [15], terminal area operations with an emphasis on takeoffs and landings under
wake vortex and wind shear conditions as well as self-separation and abrupt maneuvering for collision avoidance 
(especially under vehicle impairment conditions) should be included. The control architecture should also be 
extensible to enable phased development and implementation of control capabilities for current and NextGen 
operations. The broad capabilities and resilience requirements may require the integration of multiple control 
approaches (adaptive and non-adaptive) or the development of a hybrid approach. 

C. Vehicle Health Management 

Vehicle health management technologies are needed for continually assessing and managing the state of the 
airframe, propulsion system, and key aircraft systems and components. This involves the detection of anomalies and 
errors in an effort to prevent potentially catastrophic failures and damage, as well as failure and damage detection, 
identification, characterization, and containment. Diagnostic algorithms should be developed for identifying and 
characterizing the severity of faulty components, and prognostic algorithms should be developed for predicting 
failures and estimating remaining useful life. These algorithms must be able to perform correctly in the presence of 
external disturbances. Determination of external hazards and disturbances in the operating environment through
in-situ sensing or some other means is therefore an inherent capability needed by the health management system, as
indicated in Figure 5. Containment of faults, failures, and damage is accomplished through redundancy 
management, vehicle design, self-healing materials, and self-recovering avionics systems. Monitoring and assuring 
a safe onboard environment (including the cockpit, cabin, cargo and equipment bays) are also the ultimate 
responsibility of the health management system, as indicated in Figure 5. Recent research accomplishments in 
vehicle health management relative to the propulsion system and airframe structure are given in References [16] and
[17], respectively; recent results on prognostics are given in Reference [18]; and some recent results on self-healing
materials are given in Reference [19]. Recent research results on high-temperature sensing systems for propulsion
health management are given in References [20] and [21]. Research into self-recovering avionics systems is given 
in References [22] and [23]. Integrated health management functions that enable vehicle-level health state 
assessment, management, and containment are ultimately needed for flight safety assurance and LOC accident 
prevention. 

D. Onboard Modeling, Simulation, and Database Management 

Onboard modeling, simulation, and database management capabilities are needed to support vehicle safety state 
assessment and management, vehicle health management, and resilient control functions. Real-time system 
identification technologies are needed to characterize changes to vehicle dynamics and control characteristics 
resulting from off-nominal conditions (e.g., icing and damage conditions). Faster-than-real-time simulation 
technologies are needed for assessing and predicting impacts to vehicle flight safety of off-nominal conditions and 
interventions being taken by the crew and automation. Simplified models of key off-nominal condition effects (e.g., 
structural load impacts under vehicle damage), developed from ground-based high-fidelity models and simulations, 
must be developed for onboard utilization in characterizing off-nominal condition effects during flight. Fault, 
failure, and damage models and databases generated from ground-based modeling efforts should be updated and 
maintained onboard the vehicle for in-flight use, diagnostics and prognostics (including the determination of 
remaining useful life), and condition-based maintenance. Recent results on real-time modeling technologies are 
given in Reference [24]. 

E. Crew-System Interfaces for Improved Situational Awareness and Variable Autonomy 

The crew are intelligent, adaptive, and highly capable components of the vehicle during flight operations, and 
improved flight deck technologies are needed for enhanced situational awareness, decision support, and effective 
(and optimal) partitioning of crew/automation functioning under off-nominal conditions. Integrated multi-modality 
(e.g., visual and aural) notification and cueing systems are needed to provide improved situational awareness under 
off-nominal conditions. Integrated information processing (e.g., distributed data fusion) functions are needed to 
provide information from the vehicle health management, resilient control, and flight safety management systems to 
the crew in a form that is useful and timely. Variable autonomy technologies are needed to assess vehicle health, 
flight safety, and crew states and to allocate flight functions and control authority appropriately under off-nominal 
conditions. As indicated in Figure 5, aspects of this assessment may include autonomy requirements pertinent to 
recovery time or maneuver requirements, vehicle constraints and their impacts, and handling qualities. Crew state 
might also be assessed relative to the detection and characterization of any existing level of incapacitation or 
distraction. Crew state is an important factor in predicting the onset of off-nominal conditions and consists of a
number of factors, such as current workload, mission phase, and crew alertness. For example, a crew with low
workload that is surprised by a sudden onset of an off-nominal condition, or a crew with a high workload after a long
mission, will result in a reduced S-Factor metric. Recent results on flight deck technologies for improved crew
situational awareness are given in Reference [25], and a variable autonomy interface is described in Reference [26]. 

F. Potential Effectiveness in Preventing Aircraft Loss-of-Control Accidents 

In the preceding sections, a holistic approach has been proposed for reducing safety risk associated with aircraft 
loss-of-control events. Figure 8 depicts an assessment of the effectiveness of such a strategy relative to providing 
interventions to break the LOC sequence of Figure 2. The colored arrows and associated text describe
interventions at each stage of the LOC sequence associated with each of the technology development areas depicted 
in Figures 3-5 and 7. That is, purple correlates to vehicle dynamics modeling and simulation technologies, green 
reflects vehicle health management technologies, blue is indicative of flight safety management and resilient control 
technologies, and yellow represents crew interface technologies. The interventions will be discussed relative to each 
stage in the LOC sequence moving from left to right. 

Starting at the left of Figure 8, and before the flight even takes off, vehicle health management (VHM) 
technologies would help to prevent failures and damage from occurring through condition-based maintenance and 
non-destructive evaluation methods for improved vehicle inspections. Once the flight takes off, remote (look-ahead) 
sensors would help to avoid areas of external hazards or disturbance. Flight safety assessment technologies would 
provide the capability to anticipate flight safety hazards or risks at initial inception or with a slight lead time. The
onboard modeling capability for characterizing off-nominal conditions would support this assessment. Crew 
interface technologies would provide the crew with warning of impending off-nominal conditions and flight safety 
impacts or risks. All of these technologies would contribute to the avoidance of vehicle impairment and external 
hazards conditions, and therefore could provide multiple opportunities for intervention very early in the LOC 
sequence. 


[Figure 8 graphic: the LOC sequence (Normal Flight; Vehicle Impairment / External Hazard; Inappropriate Crew Response; Vehicle Upset; Safe Flight), with Avoid / Detect, Mitigate, and Recover interventions listed for each stage.] 

Figure 8. Illustration of LOC Sequence Intervention Effectiveness. 

Once a vehicle impairment or external hazard condition has occurred, the crew would be better prepared to 
appropriately respond as a result of improved training. This improved training would be enabled by off-nominal 
conditions models and simulations that provide insight into vehicle dynamics and control impacts. The onboard 
modeling technologies allow for models and databases to be rapidly updated to reflect the actual off-nominal 
condition being experienced and its impacts. This would enable the accurate detection of impairment and hazard 
conditions by the VHM system, as well as associated diagnostics, prognostics, and containment functions. In-situ 
sensing and estimation capabilities would allow external hazards to be distinguished from faulty data. Flight safety 
assessment and resilient control technologies would enable rapid assessment and prediction of off-nominal condition 
impacts and risks, mitigation of these effects through automatic control or guidance to the crew, and determination 
of safe (and achievable) trajectories that the aircraft can safely fly. Crew interface technologies would enable the 
rapid and effective communication of the off-nominal conditions and their effects to the crew (for improved 
situational awareness), guidance to the crew on their mitigation, and variable autonomy for optimizing the response 
of the crew and automation. Providing appropriate information to the crew in order to formulate an optimum 
response is crucial in an off-nominal condition due to the unforgiving flight environment and rapid onset of 
catastrophic conditions. These technologies working together would provide the capability to rapidly detect and 
mitigate off-nominal conditions while preventing an inappropriate response by the crew. 

If an inappropriate crew response did occur, the flight safety management and resilient control technologies 
would immediately detect risk associated with the action (or inaction), and would mitigate their effects to restore 
flight safety while preventing a vehicle upset or damage. Warnings would be provided to the crew of impending 
flight safety risks associated with the inappropriate response and of mitigations being taken. Safe trajectories would 
be generated for continuing the flight or landing the vehicle, and guidance for following them would be provided to 
the crew. If an emergency landing was indicated, safe landing sites would be identified and guidance to the best site 
would be communicated to the system and crew. These technologies working together would provide the capability 
to reduce the impact of inappropriate crew responses while mitigating the existing off-nominal conditions and 
preventing a vehicle upset (or damage) condition. 

If a vehicle upset condition occurs, the flight safety management and resilient control technologies would 
provide the capability to detect and arrest the upset early in its progression as well as the capability to effect a full 
recovery, while continuing to mitigate the existing off-nominal conditions. Safe recovery trajectories would be 
generated for accomplishing the recovery in the context of the other off-nominal conditions being experienced so as 
to prevent vehicle damage during the recovery. Throughout the upset detection and recovery, information would be 
communicated to the crew for improved situational awareness and effective/optimal involvement by the crew. 
Throughout the upset event, the crew would be better able to understand its effect on vehicle dynamics and control, 
because of improved crew training in upset conditions enabled by enhanced modeling and simulation of off-nominal 
conditions. The VHM system would continue to contain any vehicle impairment condition and would continually 
assess for any impacts on the vehicle (e.g., changes to airframe structure or engine performance), and provide this 
information to the system and crew. All of these technologies working together would provide the capability to 
mitigate the upset condition early in its inception and to fully recover from it while preventing a LOC accident from 
being the ultimate result. 

The holistic approach being recommended in this paper provides multiple opportunities for intervention at every 
stage of a LOC event. Although the generalized LOC sequence of Figure 2 is used in this analysis, a similar result 
could be obtained for any of the LOC sequences identified in Reference [3]. Providing multiple opportunities to 
break these sequences at any stage would result in a high-confidence strategy for successfully preventing LOC 
accidents. 


III. System Implementation and Commercialization 

The integrated AIRSAFE System concept presented in Section II is a long-term research and technology 
development approach for preventing aircraft LOC accidents under current and NextGen operations. The fully 
integrated AIRSAFE System with all of the proposed functionality would be a long-term future capability. 
However, a modular system architecture and a phased implementation strategy would enable the deployment and 
utilization of AIRSAFE System functions and capabilities as they are developed, validated, and certified. Figure 9 
illustrates a potential implementation strategy that would enable phased deployment in the near, mid, and far-term 
timeframes. 

In the near term or retrofit market, AIRSAFE System technologies could be confined to data collection, analysis, 
and crew notifications and warnings. Crew training for upset conditions would also be enabled through the 
development of aircraft model and simulation enhancements developed to characterize vehicle upset conditions 
outside of the normal flight envelope. 27 Also in the near term, an AIRSAFE System V&V process definition with 
some improved methods and tools would be available. In the mid-term, and for fly-by-wire (FBW) aircraft, 
AIRSAFE System technologies might include notification, guidance, and cueing as well as pilot-engaged automatic 
control for off-nominal conditions mitigation and upset prevention. Onboard databases and models would be 
available for use in flight safety assessment and vehicle health management functions. Crew training improvements 
for off-nominal conditions (occurring individually) might also be available, as well as improved V&V methods, 
tools, and testbeds. In the far-term, the AIRSAFE System might include full functional integration of vehicle health 
management, flight safety management and resilient control, and variable autonomy crew interface systems. 
Onboard modeling and database management would also be a part of the long-term capability, as well as improved 
crew training under multiple off-nominal conditions. Improved vehicle system design and a fully integrated V&V 
process might also be available in the far-term timeframe. The main point being illustrated by Figure 9 is that there 
should be a practical and realistic strategy identified for developing, implementing and fielding these technologies 
using a modular architecture that would allow phasing in capabilities and functions over time. 

Figure 9. Illustration of Potential Implementation Strategy with Capabilities Phased In Over Time. 


Thought should also be given to the development of a business plan for technology insertion into the market. 
Figure 10 illustrates an example of one such strategy. The aircraft market is separated into transport and general 
aviation (GA) aircraft. Transport aircraft are subdivided into large passenger carriers and regional, cargo, and 
military carriers. GA aircraft are subdivided into business jets and military unmanned air vehicles (UAVs) and 
personal GA aircraft. The main point being made in Figure 10 is that the AIRSAFE System technologies will not be 
transitioned into all of these aircraft simultaneously. The strategy illustrated in Figure 10 is that regional, cargo, 
and/or military carriers may lead large passenger carriers in technology transition to transport aircraft, and business 
jets and UAVs may lead personal GA aircraft technology transition to GA aircraft. These realities should be 
recognized and realistic strategies developed for technology insertion in the appropriate markets. 

Figure 10. Illustration of Potential Commercialization Strategy. 


IV. Conclusion 

Aircraft loss-of-control (LOC) is a significant contributor to aircraft accidents and fatalities. LOC accidents are 
also highly complex in that they can result from a wide variety of causal and contributing factors that occur 
individually or (more often) in combination. This paper proposed a holistic research and technology development 
approach for reducing aircraft LOC accidents, and an associated integrated system concept, called the Aircraft 
Integrated Resilient Safety Assurance and Failsafe Enhancement (AIRSAFE) System. The holistic approach 
included the development of (i) modeling and simulation technologies for characterizing vehicle dynamics and 
control characteristics under off-nominal precursor conditions associated with LOC events; (ii) vehicle health 
management technologies for the detection, identification, characterization, and containment of vehicle and system 
failures and damage (as well as their prevention through improved maintenance, inspection, and vehicle design); 
(iii) flight safety management and resilient control technologies for the rapid assessment of off-nominal condition 
effects and their mitigation; and (iv) crew interface technologies for improved situational awareness and variable 
autonomy under off-nominal conditions. This holistic technology development approach was considered relative to 
its potential effectiveness in providing interventions at every stage of a generalized LOC sequence, and this 
approach appears to provide multiple intervention opportunities at all stages of the sequence. Technology 
implementation and transition strategies were also discussed for the near, mid, and far term timeframes. 